PHISH? Paypal -> auto attach pp.file\pixel.gif ?

jlockley (Technical User)

After receiving no response for two days to requests to PayPal to confirm or deny the legitimacy of the information requests, I stupidly let curiosity get the better of me and hit the site with false information. (In my defense, the given address is or other etc.)
After accepting my update as the local District Attorney's office, it apparently dropped a JavaScript on my computer which is attempting to send out an attachment "pp.files/pixel.gif" (note the forward slash). I am thinking keystroke logger?

Neither Norton nor Ad-Aware has picked up on the cause. Email program is Eudora, on W2K. I don't use Outlook, which could be why the script seems to be malfunctioning. Neither pp.files nor pixel.gif seems resident on the computer, but Eudora has been directed to send them out. How do I get at this baby?

(Loud noises in the background are me dope-slapping myself.)
 
Whatever it was, Spybot seems to have chewed it up. Very, very weird behavior.
 
FYI,

Having had similar phishing schemes foisted on me, PayPal did send me an email saying that one way to tell the difference is that PayPal WILL use the name you registered with, not "Dear PayPal user", in any correspondence they send you. I'm surprised they haven't gotten back to you, as they are usually quite prompt.

Jim W.
 
Nope. I have sent at least four messages.
 
Paypal has never been prompt for me, I'm still waiting to hear back from them on one thing I reported and it has been what, 6 months? Last thing I reported took 3 months ... At any rate, I'm interested in seeing that file if you run across it again.

----------------------------
"Security is like an onion" - Unknown
 
I kicked out a lot of trash after it became apparent that my emails were attempting to send out more than planned, so I can't send you the specific file that seems to have been loaded onto my desktop, if that's what you mean, but here is the email. As I know now, it was falsified, but check the link. That's what I found confusing and why I inquired with PayPal, then went ahead and tapped it in myself when there was no reply in a couple of days.

Received: (qmail 10977 invoked from network); 21 Oct 2004 12:30:33 -0000
Received: from pre-smtp02-02.prod.mesa1.secureserver.net ([64.202.166.26])
(envelope-sender <root@lestat.processing.net>)
by smtp04-01.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
for <my address>; 21 Oct 2004 12:30:33 -0000
Received: (qmail 31260 invoked from network); 21 Oct 2004 12:30:29 -0000
Received: from unknown (HELO lestat.processing.net) ([168.103.150.113])
(envelope-sender <root@lestat.processing.net>)
by pre-smtp02-02.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
for <my address> 21 Oct 2004 12:30:29 -0000
Received: (from root@localhost)
by lestat.processing.net (8.9.3+Sun/8.9.1) id FAA20741;
Thu, 21 Oct 2004 05:30:47 -0700 (PDT)
Date: Thu, 21 Oct 2004 05:30:47 -0700 (PDT)
Message-Id: <200410211230.FAA20741@lestat.processing.net>
To: my address
Subject: Refresh Your PayPal Account
From: PayPal Team<update@paypal.com>
Content-Type: text/html
X-Nonspam: None

Dear valued PayPal® member:

It has come to our attention that your PayPal® account information needs to be
updated as part of our continuing commitment to protect your account and to
reduce the instance of fraud on our website. If you could please take 5-10 minutes
out of your online experience and update your personal records you will not run into
any future problems with the online service.

However, failure to update your records will result in account suspension.
Please update your records on or before Oct 26, 2004.

Once you have updated your account records, your PayPal® session will not be
interrupted and will continue as normal.

To update your PayPal® records click on the following link:

Thank You.
PayPal® UPDATE TEAM

Accounts Management As outlined in our User Agreement, PayPal® will
periodically send you information about site changes and enhancements.

Visit our Privacy Policy and User Agreement if you have any questions.
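
The headers quoted above are the useful part of this post. Reading a Received: chain by hand is error-prone, so here is a small parser, added as an editorial example and not code from anyone in this thread. It takes the header block posted above (with the continuation-line indentation that the forum stripped restored, and the body omitted), walks the hops in transit order, finds the first hop that recorded a client IP, and compares what that hop says about the sender with what the From: line claims. Everything it reports is derived from the quoted headers; no names or addresses beyond those are assumed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header block of the PayPal phish quoted in this thread. Continuation lines
# are re-indented so the text parses as a standard mail message; the body is
# omitted and the recipient address was already redacted by the poster.
PAYPAL_PHISH = """\
Received: (qmail 10977 invoked from network); 21 Oct 2004 12:30:33 -0000
Received: from pre-smtp02-02.prod.mesa1.secureserver.net ([64.202.166.26])
 (envelope-sender <root@lestat.processing.net>)
 by smtp04-01.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
 for <my address>; 21 Oct 2004 12:30:33 -0000
Received: (qmail 31260 invoked from network); 21 Oct 2004 12:30:29 -0000
Received: from unknown (HELO lestat.processing.net) ([168.103.150.113])
 (envelope-sender <root@lestat.processing.net>)
 by pre-smtp02-02.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
 for <my address> 21 Oct 2004 12:30:29 -0000
Received: (from root@localhost)
 by lestat.processing.net (8.9.3+Sun/8.9.1) id FAA20741;
 Thu, 21 Oct 2004 05:30:47 -0700 (PDT)
Date: Thu, 21 Oct 2004 05:30:47 -0700 (PDT)
Message-Id: <200410211230.FAA20741@lestat.processing.net>
To: my address
Subject: Refresh Your PayPal Account
From: PayPal Team<update@paypal.com>
Content-Type: text/html

(body omitted)
"""

_FROM = re.compile(r"^from\s+(\S+)", re.I)            # host the MTA saw (or "unknown")
_HELO = re.compile(r"\(HELO\s+([^)\s]+)\)", re.I)     # name the client announced
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")     # client IP recorded by the MTA
_BY = re.compile(r"\bby\s+(\S+)", re.I)                # MTA that wrote the header
_ENV = re.compile(r"envelope-sender\s+<([^>]+)>", re.I)  # qmail records MAIL FROM here


def _grab(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None


def parse_received(raw):
    """One dict per Received: header, earliest hop first.

    Each MTA prepends its own Received: line, so the last one in the message
    is the first hop in transit; reversing gives the order the mail travelled.
    """
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        v = " ".join(value.split())  # unfold continuation lines
        hops.append({
            "from": _grab(_FROM, v), "helo": _grab(_HELO, v), "ip": _grab(_IP, v),
            "by": _grab(_BY, v), "envelope_sender": _grab(_ENV, v),
        })
    return hops


def origin_hop(hops):
    """First hop with a client IP: where the mail entered a server the sender
    did not control. Everything below it in the chain was written by the
    sender's own machine and can say anything."""
    return next((h for h in hops if h["ip"]), None)


def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def under(host, domain):
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)


def assess(raw):
    """Compare the From: domain with what the first trusted hop recorded."""
    msg = message_from_string(raw)
    origin = origin_hop(parse_received(raw))
    from_domain = domain_of(msg["From"])
    msgid_domain = msg["Message-Id"].strip("<> ").rpartition("@")[2].lower()
    findings = []
    if origin is None:
        findings.append("no Received hop with a client IP")
    else:
        if origin["from"] == "unknown":
            findings.append("no reverse DNS for %s" % origin["ip"])
        if not under(origin["helo"], from_domain):
            findings.append("HELO %s is not under From: domain %s" % (origin["helo"], from_domain))
        env = origin["envelope_sender"]
        if env and domain_of(env) != from_domain:
            findings.append("envelope sender %s does not match From: %s" % (env, msg["From"]))
    if not under(msgid_domain, from_domain):
        findings.append("Message-Id generated at %s, not %s" % (msgid_domain, from_domain))
    return {"origin": origin, "from_domain": from_domain, "findings": findings}


if __name__ == "__main__":
    for line in assess(PAYPAL_PHISH)["findings"]:
        print(line)
```

On the quoted mail this reports four things: the connecting host had no reverse DNS ("from unknown"), it announced itself as lestat.processing.net rather than anything under paypal.com, the envelope sender was root@lestat.processing.net, and the Message-Id was minted on that same box. Only the hops written by the recipient's provider (secureserver.net here) are trustworthy; the innermost "(from root@localhost)" line came from the sender's machine and proves nothing.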
 
Hrm. Very interesting indeed.

----------------------------
"Security is like an onion" - Unknown
 
Well, it's fraud. It's pretty good fraud. But it's fraud.
 
And not just PayPal. Here, for amusement only, is Otto Schweigenthaler's notice from the Sovereign Internet team. Otto lives somewhere in my head and is rarely allowed to get out, and certainly never to do actual banking. It's just an alias we created to allow posting of questions to an Internet group when we didn't want our own name behind them.

This is where it gets interesting. We have, however, borrowed Otto's address to open a PayPal account for a non-profit group, as PayPal won't let me manage it from my standard account. Otto has been getting phony PayPal mail. Another alter-ego account with no PayPal account has not. The logical conclusion is that the knowledge that Otto and I have PayPal accounts has to have come somehow from PayPal. Anyway, here is the last attempt to get Otto to cough up his private information.

Dear Sovereign customer,

We recently reviewed your account, and suspect that your Sovereign Internet Banking account may have been accessed by an unauthorized third party. Protecting the security of your account and of the Sovereign network is our primary concern. Therefore, as a preventative measure, we have temporarily limited access to sensitive account features.

To restore your account access, please take the following steps to ensure that your account has not been compromised:

1. Login to your Sovereign Internet Banking account. In case you are not enrolled for Internet Banking, you will have to use your Social Security Number as both your Personal ID and Password and fill in all the required information, including your name and your account number.

2. Review your recent account history for any unauthorized withdrawals or deposits, and check your account profile to make sure not changes have been made. If any unauthorized activity has taken place on your account, report this to Sovereign staff immediately.

To get started, please click the link below:

We apologize for any inconvenience this may cause, and appreciate your assistance in helping us maintain the integrity of the entire Sovereign system. Thank you for your prompt attention to this matter.

Sincerely,

The Sovereign Team

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your Sovereign account and choose the "Help" link in the header of any page.
 
One thing to note is that the links everyone has copied have been just that, copies.

On the original, if you hover over it, it will display the ACTUAL address it will go to in the bottom left of your browser, or you can do a Right Click > Properties. This will give the destination address.
It's very basic hyperlink work. After all, if you click on a link, say, "Todays Latest News" on [a site], you don't go to a page called "Todays Latest News on [the site]"; it's more likely to be something like [a long URL].
So always be wary of hyperlinks.

Stu..

Only the truly stupid believe they know everything.
Stu.. 2004
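
Stu's hover-and-compare check can be automated for a whole message. The script below is an added editorial example, not code from Stu or anyone else in the thread, and the HTML it parses is constructed for illustration: the forum stripped the real hrefs, so the sample uses the documentation range 192.0.2.0/24 and the reserved name example.net rather than any real phishing host. It pulls every anchor out of the HTML and flags three patterns: a dotted-decimal IP as the destination host (the same thing the Spamnix rule NORMAL_HTTP_TO_IP scores later in this thread), visible link text that names a different site than the href actually goes to, and a host that contains the brand name but is registered somewhere else. The third pattern goes a step beyond what the thread shows, and the "registrable domain" helper is a deliberate simplification.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not the thread's actual phish. The first link mimics the
# pattern the thread describes: PayPal-looking text, IP-address destination.
SAMPLE_PHISH_HTML = """
<p>To update your PayPal records click on the following link:</p>
<a href="http://192.0.2.45/pp/cgi-bin/webscr.php"><font size="+1">
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</font></a>
<p>Visit our <a href="https://www.paypal.com/privacy">Privacy Policy</a> and
<a href="http://www.paypal.com.example.net/update">User Agreement</a>.</p>
"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._text is not None:          # inside an <a>, nested tags included
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._text is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href, self._text = None, None


# Visible text that a reader would take to be an address (with or without scheme).
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#:]|$)", re.I)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def registrable(host):
    """Last two labels of a hostname, e.g. www.paypal.com -> paypal.com.
    Simplification: production code needs the Public Suffix List so that
    co.uk-style suffixes are handled; an IP literal counts as its own domain."""
    if host is None:
        return None
    if is_ip_literal(host):
        return host
    return ".".join(host.lower().split(".")[-2:])


def check_link(href, text, brand_domain):
    """Warning codes that apply to one anchor, given the brand being imitated."""
    findings = []
    host = urlparse(href).hostname
    if is_ip_literal(host):
        findings.append("ip_host")
    if _LOOKS_LIKE_URL.match(text):
        shown = text if "://" in text else "http://" + text
        if registrable(urlparse(shown).hostname) != registrable(host):
            findings.append("display_mismatch")   # text says one site, href goes to another
    brand = brand_domain.split(".")[0]
    if host and brand in host.lower() and registrable(host) != brand_domain:
        findings.append("lookalike_host")         # e.g. paypal.com.example.net
    return findings


def audit(html, brand_domain):
    parser = _Anchors()
    parser.feed(html)
    return [{"href": h, "text": t, "findings": check_link(h, t, brand_domain)}
            for h, t in parser.links]


if __name__ == "__main__":
    for link in audit(SAMPLE_PHISH_HTML, "paypal.com"):
        print(link["findings"] or "ok", link["href"], "<-", link["text"][:40])
```

Run as-is it flags the first link twice (IP host, and text claiming www.paypal.com while the href points at 192.0.2.45), passes the genuine-looking Privacy Policy link, and flags the User Agreement link as a lookalike host. Feed it the raw HTML part of a suspect message, with the brand domain the mail claims to be from, to get the same answer the hover trick gives, for every link at once.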
 
Well, here's another. Tiny aside: I don't have an eBay account. Attempting to forward this to eBay was interesting, as they demand that you sign up before you can send them mail from their web site, and otherwise, sorry, I can't be bothered. It's their fraud, so let them figure it out. These things get more and more convincing, however.

Yes, and the address comes from China. Here is the link in reality:
<A href="target=_blank>


Received: (qmail 26222 invoked from network); 7 Nov 2004 05:41:05 -0000
Received: from pre-smtp02-01.prod.mesa1.secureserver.net ([64.202.166.25])
(envelope-sender <anonymous@w13182.hostcentric.net>)
by smtp01-01.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
for <jll@<snip>.com>; 7 Nov 2004 05:41:05 -0000
Received: (qmail 810 invoked from network); 7 Nov 2004 05:41:05 -0000
Received: from web-site-pages.com (HELO w13182.hostcentric.net) ([216.65.31.202])
(envelope-sender <anonymous@w13182.hostcentric.net>)
by pre-smtp02-01.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
for <jll@mygroup.com>; 7 Nov 2004 05:41:05 -0000
Received: (qmail 7101 invoked by uid 99); 7 Nov 2004 05:41:06 -0000
Date: 7 Nov 2004 05:41:06 -0000
Message-ID: <20041107054106.7100.qmail@w13182.hostcentric.net>
To: jll@chefsprofessional.com
Subject: TKO Notice: ***Urgent Safeharbor Department Notice***
From: aw-confirm@eBay.com <aw-confirm@eBay.com>
Content-Type: text/html
X-Nonspam: None

***Urgent Safeharbor Department Notice***

Fraud Alert ID : 00626654


You have receive this email because you or someone had used your account to make fake bids on eBay. For security purposes, we are required to open an investigation into this matter. To help speed up this process, you are require to verify your eBay account by following the link below.

Please save this fraud alert id for your reference

Please Note - If your account informations are not updated within the next 72 hours, then we will assume this account is fraudulent and will be cancelled. We apologize for this inconvenience, but the purpose of this verification is to ensure that your eBay account has not been fraudulently used and to combat fraud

We apreciate your support and understading, as we work together to keep eBay a safe place to trade

Thank you for your patience in this matter.

Regards, Safeharbor Department (Trust and Safety Department)
eBay Inc.

Please do not reply to this e-mail as this is only a notification Mail sent ti this address cannot answered

Copyright 2004 eBay Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.
eBay and the eBay logo are trademarks of eBay Inc. is located at Hamilton Avenue, San Jose, CA 95125

SPAM: ------------------------ Spamnix Spam Report -------------------------
SPAM: Spamnix identified this message as spam. This report shows which
SPAM: rules matched the message and how many points each rule contributed.
SPAM:
SPAM: Content analysis details: (5.0 hits, 5.0 required)
SPAM: 0.0 HTML_TAG_EXISTS_TBODY BODY: HTML has "tbody" tag
SPAM: 0.0 BAYES_50 BODY: Bayesian spam probability is 50 to 56%
SPAM: [score: 53.7%; UD:php:99 N:NNNNNNNN:99]
SPAM: [property:99 security:99 N:H*r:NNN.NN.NN:99]
SPAM: [verify:99 regards:99 combat:99 Mail:99 eBay:99]
SPAM: [purposes:99 ensure:99 assume:99 reply:99]
SPAM: [N:NNNNNNNNNN:99 ebay:99 cancelled:99 safe:99]
SPAM: [trademarks:98 H*r:qmail:98 owners:98]
SPAM: [H*r:invoked:98 investigation:98 fake:98]
SPAM: [answered:98 respective:98 UD:yahoo.com:3 items:3]
SPAM: [H*c:html:96 fraud:96 verification:96 trade:96]
SPAM: [Department:96 require:96 amp:96 H*r:uid:96]
SPAM: [N:H*M:NNNNNNNNNNNNNN:96 purpose:96]
SPAM: [informations:96 kinds:96 H*r:HELO:96 San:5]
SPAM: [Rights:5 Reserved:5 Jose:5 alert:5 brands:5]
SPAM: [located:5 together:5 user:6 URI:6 copyright:6]
SPAM: [From:6 matter:6 open:7 N:NNNNNN:7 updated:7]
SPAM: [Avenue:9 support:9 2004:9 logo:10 H*M:net:10]
SPAM: [thank:12 used:13 next:13 help:13 Inc:13]
SPAM: [following:14 but:14 their:14]
SPAM: 0.5 HTML_50_60 BODY: Message is 50% to 60% HTML
SPAM: 0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
SPAM: 0.1 HTML_MESSAGE BODY: HTML included in message
SPAM: 0.3 HTML_FONT_BIG BODY: HTML has a big font
SPAM: 1.0 MIME_HTML_NO_CHARSET RAW: Message text in HTML without charset
SPAM: 0.6 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
SPAM: 0.9 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
SPAM: 1.3 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
SPAM:
SPAM: Spam level: *****
SPAM: --------------------- End of Spamnix Spam Report ---------------------
 